1 Administrative

ARO grant number: W911NF-05-1-0158.

Project title: EXTRACTING FORMAL MODELS FROM INFORMAL REQUIREMENTS AND USING THEM FOR VALIDATION.

Duration of the grant: 4/15/05 - 4/15/08.

Program Manager: Dr. David Hislop, Army Research Office

Principal Investigator: Prof. Insup Lee, University of Pennsylvania

Institution:

University of Pennsylvania
3451 Walnut Street, Room P221
Philadelphia, PA 19104

Project Team:

University of Pennsylvania: Prof. Insup Lee, Prof. Aravind Joshi


2 Program Objective

The goal of the project is to study the formalization of regulations and regulatory compliance. The technical objectives involve addressing two verification problems:

• Consistency of regulation

Compliance can be achieved only if the regulation is internally consistent. This verification problem answers the question whether any organization is capable of complying with the regulation.

• Compliance of organizations

This verification problem answers the question whether the operation of an organization complies with the regulation.

Formalization and verification questions were studied in the context of a case study that concerns the regulation of blood banks by the U.S. Food and Drug Administration in the Code of Federal Regulations that the administration publishes.


3 Technical Approach

Our approach was to translate the regulation into a collection of deontic logic formulas. The translation involved manual annotation of a substantial fragment of the regulation, followed by automated parser training. Once the translation was complete, we performed static verification (model checking, conformance testing) on DBSS, a software system for blood bank management. Verification aimed to establish whether compliance is ensured by the given software.

We also explored a runtime verification approach. Runtime verification is a technique for monitoring execution traces for compliance. Verification is performed on a log of operations and determines whether the performed operations are compliant with the regulation.


4 Accomplishments

The two major accomplishments of this project are the run-time verification framework for regulatory trace compliance and the application of conformance testing to regulatory compliance of software.


4.1 Formalization of regulatory documents

We have developed a translation scheme based on Natural-Language Processing (NLP) techniques. Regulatory documents are translated one sentence at a time, preserving the structure of the regulation. This technique has two important advantages:

• Structural mapping enhances traceability. Whenever a violation is discovered, our translation allows the verification process to identify the statement in the original regulatory document that was violated.

• Efficiency of the parser is improved, since NLP techniques work best at sentence level.

An important feature of our formalization approach is the explicit representation of exceptions, which are omnipresent in regulatory documents. That is, obligations stipulated in a regulatory statement are predicated on exceptions described elsewhere in the document. Exceptions are handled by means of the reference operator, a new modal operator in our logic, along with the deontic operators of permission and obligation. These new modal operators are embedded into linear-time temporal logic (LTL), a commonly used formalism for capturing behavioral and temporal requirements.

Conformance checking is based on existing runtime verification algorithms for LTL. The complication introduced by our formal representation lies in the handling of references. Our algorithm resolves references on the fly by means of annotations that are obtained by a fixed point operator. We have implemented a prototype checker for our logic and applied it to a fragment of the blood bank regulation.
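As an added illustration of the idea (this is not the project's RefL logic or its prototype checker, and it resolves references by recursion with cycle detection rather than by the fixed-point annotations the project's algorithm uses), the following Python checker evaluates labelled obligations over a log of operations. Statement (a) mirrors the shape of the sentence "Except as specified in paragraphs (c) and (d), each donation must be tested ..."; the wording of (a)-(d), the list of required tests, the unit ids and the log are all constructed, not the CFR text or DBSS data. Each violation is reported with the label of the statement that was not met (traceability), a past-time obligation shows the temporal side, and a second constructed fragment whose exceptions refer to each other is rejected as unresolvable, which is the consistency question from Section 2 in miniature.

```python
"""Toy trace checker for obligations with cross-referenced exceptions (added
illustration; not the project's RefL logic or prototype). Statements (a)-(d)
paraphrase a constructed fragment, not the CFR wording; the log is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Pred = Callable[[Event, List[Event]], bool]   # (current event, earlier events) -> bool
REQUIRED_TESTS = frozenset({"HIV", "HBV", "HCV"})   # constructed list of required tests

@dataclass(frozen=True)
class Statement:
    label: str                    # reported on violation, for traceability to the text
    scope: Pred                   # which events the statement speaks about
    body: Pred                    # the obligation that must hold for events in scope
    unless: Tuple[str, ...] = ()  # labels referenced by "except as specified in ..."

class CircularReference(Exception):
    """Exception references loop back on themselves: the fragment cannot be resolved."""

def in_force(reg: Dict[str, Statement], label: str, ev: Event, past: List[Event],
             stack: Tuple[str, ...] = ()) -> bool:
    """Is `label` in force for `ev` once its referenced exceptions are discharged?
    A referenced statement excuses the event exactly when it is itself in force for
    it (resolved on the fly, recursively); `stack` catches cyclic references."""
    if label in stack:
        raise CircularReference(" -> ".join(stack + (label,)))
    st = reg[label]
    if not st.scope(ev, past):
        return False
    return not any(in_force(reg, ref, ev, past, stack + (label,)) for ref in st.unless)

def check_trace(reg: Dict[str, Statement], trace: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (position, violated statement label, unit id) for every unmet obligation."""
    violations = []
    for i, ev in enumerate(trace):
        for st in reg.values():
            if in_force(reg, st.label, ev, trace[:i]) and not st.body(ev, trace[:i]):
                violations.append((i, st.label, str(ev["id"])))
    return violations

def circular_references(reg: Dict[str, Statement]) -> List[str]:
    """Static consistency check of the reference graph: one cycle as a label path, or []."""
    def dfs(label: str, stack: List[str]) -> List[str]:
        if label in stack:
            return stack[stack.index(label):] + [label]
        for ref in reg[label].unless:
            cycle = dfs(ref, stack + [label])
            if cycle:
                return cycle
        return []
    for label in reg:
        cycle = dfs(label, [])
        if cycle:
            return cycle
    return []

def previously_tested(ev: Event, past: List[Event]) -> bool:
    """Past-time temporal condition: an earlier donation event of this unit carried all tests."""
    return any(p["kind"] == "donation" and p["id"] == ev["id"] and REQUIRED_TESTS <= p["tested"]
               for p in past)

# Constructed regulation fragment (hypothetical paraphrase, not the CFR wording).
REGULATION = {s.label: s for s in [
    # (a) Except as specified in (c) and (d), each donation must be tested for the listed diseases.
    Statement("a", lambda e, _: e["kind"] == "donation",
              lambda e, _: REQUIRED_TESTS <= e["tested"], unless=("c", "d")),
    # (b) A unit may be released only if it has previously been tested (release -> Once tested).
    Statement("b", lambda e, _: e["kind"] == "release", previously_tested),
    # (c) Autologous donations need not be tested but must be labelled for autologous use only.
    Statement("c", lambda e, _: bool(e.get("autologous")), lambda e, _: e.get("label") == "autologous_only"),
    # (d) Dedicated donations from a donor tested within 30 days need not be retested if the record cites that test.
    Statement("d", lambda e, _: bool(e.get("dedicated")) and e.get("days_since_donor_test", 999) <= 30,
              lambda e, _: "prior_test" in e),
]}
# Constructed fragment whose exceptions refer to each other: (x) unless (y), (y) unless (x).
INCONSISTENT = {s.label: s for s in [
    Statement("x", lambda e, _: True, lambda e, _: True, unless=("y",)),
    Statement("y", lambda e, _: True, lambda e, _: True, unless=("x",)),
]}
# Constructed log of blood bank operations (not real data).
TRACE: List[Event] = [
    {"kind": "donation", "id": "D1", "tested": frozenset({"HIV", "HBV", "HCV"})},
    {"kind": "donation", "id": "D2", "tested": frozenset({"HIV", "HBV"})},       # HCV missing
    {"kind": "donation", "id": "D3", "tested": frozenset(), "autologous": True, "label": "autologous_only"},
    {"kind": "donation", "id": "D4", "tested": frozenset(), "autologous": True},  # excused from (a), unlabelled
    {"kind": "donation", "id": "D5", "tested": frozenset(), "dedicated": True, "days_since_donor_test": 10,
     "prior_test": "T-77"},
    {"kind": "donation", "id": "D6", "tested": frozenset(), "dedicated": True, "days_since_donor_test": 60},
    {"kind": "release", "id": "D1"},
    {"kind": "release", "id": "D2"},                                              # released untested
]

if __name__ == "__main__":
    for pos, label, unit in check_trace(REGULATION, TRACE):
        print(f"event {pos}: unit {unit} violates statement ({label})")
    print("reference cycle:", " -> ".join(circular_references(INCONSISTENT)))
```

Note that D4 is excused from (a) by (c) even though (c)'s own obligation is unmet: the exception is in force, so the violation is attributed to (c), not to (a). That is the traceability property the sentence-level translation is meant to preserve. The static cycle check should be run over the whole fragment before any trace is checked; the runtime guard in `in_force` only trips when a cycle is actually reached for some event.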


4.2 Conformance testing of the DBSS system

The Defense Blood Standard System (DBSS) is the DoD-developed software system for the management of blood bank operations. In our case study, we explored compliance of the DBSS with FDA CFR 610.40. The case study identified incompleteness in the regulation, under which inconclusive test outcomes could be ignored. We have implemented an automatic test generator from formal requirements and an automatic test execution engine that executed the generated tests. We observed several failed tests during the execution of the test suite. The failed tests corresponded to ambiguous requirements specified in the regulation: the incompleteness in the regulation was resolved differently in the implementation and in test generation.
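The following Python example, added here and not the project's generator, test engine or DBSS, shows the failure mode described above on a constructed requirement. Two guarded obligations say what must happen on a positive result and on all-negative results and say nothing about an inconclusive result without a positive; the generator enumerates every combination of outcomes, records the inputs on which the requirement is silent, fills them with a default, and runs the suite against a constructed system under test that takes the opposite default. The outcome alphabet, rule names R1/R2 and the stand-in implementation are all assumptions.

```python
"""Toy conformance-test generation from a formal requirement, with a check for
cases the requirement leaves open. Added illustration only: the requirement,
the outcome alphabet and the system under test are constructed stand-ins,
not DBSS, the project's generator, or the CFR wording."""
from itertools import product
from typing import Callable, List, Optional, Tuple

OUTCOMES = ("negative", "positive", "inconclusive")   # possible result of one disease test
Outcomes = Tuple[str, ...]                              # results for one unit, one per required test

# Formal requirement as guarded obligations: if guard(results) then the action is obliged.
# Constructed: R1 "a unit with any positive result must be quarantined";
#              R2 "a unit with all results negative must be released".
# Nothing is said about inconclusive results without a positive: the requirement is incomplete.
REQUIREMENT: List[Tuple[str, Callable[[Outcomes], bool], str]] = [
    ("R1", lambda r: "positive" in r, "quarantine"),
    ("R2", lambda r: all(x == "negative" for x in r), "release"),
]


def obliged_action(results: Outcomes) -> Optional[str]:
    """The action the requirement obliges for these results, or None where it is silent.
    Two guards obliging different actions for one input would make the requirement
    inconsistent, so that case is rejected rather than silently resolved."""
    actions = {action for _, guard, action in REQUIREMENT if guard(results)}
    if len(actions) > 1:
        raise ValueError(f"conflicting obligations for {results}: {sorted(actions)}")
    return actions.pop() if actions else None


def generate_tests(n_tests: int, default: str) -> Tuple[List[Tuple[Outcomes, str]], List[Outcomes]]:
    """One test per combination of results. Returns (tests, gaps): gaps are the inputs on
    which the requirement is silent and for which the generator fell back to `default`."""
    tests, gaps = [], []
    for results in product(OUTCOMES, repeat=n_tests):
        expected = obliged_action(results)
        if expected is None:
            gaps.append(results)
            expected = default
        tests.append((results, expected))
    return tests, gaps


def system_under_test(results: Outcomes) -> str:
    """Constructed implementation: quarantines only on a positive and releases everything
    else, i.e. it resolves the gap by treating an inconclusive result like a negative one."""
    return "quarantine" if "positive" in results else "release"


def run_tests(tests: List[Tuple[Outcomes, str]],
              sut: Callable[[Outcomes], str]) -> List[Tuple[Outcomes, str, str]]:
    """Execute the suite; return (input, expected, observed) for each failed test."""
    return [(r, exp, sut(r)) for r, exp in tests if sut(r) != exp]


if __name__ == "__main__":
    tests, gaps = generate_tests(n_tests=2, default="quarantine")   # generator resolves gaps conservatively
    failures = run_tests(tests, system_under_test)
    print(f"{len(tests)} tests, {len(gaps)} unspecified inputs, {len(failures)} failures")
    for r, exp, got in failures:
        print(f"  {r}: expected {exp}, observed {got}, covered by requirement: {r not in gaps}")
```

With two tests per unit there are nine inputs, three of them unspecified, and the three failing tests are exactly those three. Reporting `gaps` alongside the failures is what lets a reviewer tell an implementation bug from a hole in the regulation: with `default="release"` the same implementation passes every test, so the failures say nothing about the software until the regulation itself decides the inconclusive case.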


5  Suggestions  for  the  Future 

Overall,  the  project  led  to  a  number  of  successful  developments  that  have  reached,  or  are  close 
to  reaching,  the  technology  transfer  stage.  At  the  same  time,  a  number  of  hard  open  problems 
in  the  area  of  formalization  of  regulatory  documents  and  conformance  checking  remain.  While 
academic  research  will  be  able  to  make  further  progress  towards  solving  these  problems,  its  full 
potential  will  be  realized  only  through  team  projects  that  bring  together  academic  researchers  with 
domain  experts  from  industry. 
Goals of the project

•  Formalization  of  regulations  and  regulatory 
compliance 

•  Two  verification  problems 

-  Consistency  of  regulation 

• Can compliance be achieved? Only if the regulation
is internally consistent!

-  Compliance  of  organizations 

• Does the operation of an organization comply with the
regulation?

•  Case  study 

-  Regulation  of  blood  banks 
Technical approach

•  Translate  regulation  into  a  deontic  logic 

-  Manual  annotation 

-  Automated  parser  training 

•  Static  verification  (model  checking, 
conformance  testing) 

-  Given  the  software  for  blood  bank 
management,  is  compliance  ensured? 

•  Runtime  verification  (monitor  trace  for 
compliance) 

-  Given  a  log  of  operations,  is  it  compliant? 
Formalizing regulation

•  Approach:  regulatory  documents  are  translated 
one  sentence  at  a  time 

-  Enhance  traceability  via  structural  mapping 

-  NLP  techniques  more  efficient  at  sentence 
level 

•  Challenge:  cross-references  between  sentences 

-  E.g.,  actions  are  predicated  on  exceptions 
described  elsewhere 

•  Solution:  extend  temporal  logic  with  operators 
for  obligation,  permission  and  references 
Annotation and translation to logic

Except  as  specified  in  paragraphs  (c)  and  (d),  each  donation  must 
be  tested  for  the  following  diseases 
Runtime checking of compliance

•  Reference  logic  RefL 

-  Extends  predicate  LTL  with  deontic 
operators  for  permission  and  obligation 

- Introduces the operator by_L(φ), where L is a
statement label, which captures references

• Checking based on runtime verification
algorithms for LTL

-  Algorithm  resolves  references  on  the  fly  by 
means  of  annotations 

-  Prototype  checker  implemented 
Static verification: case study

•  Defense  Blood  Standard  System  (DBSS) 

-  DoD-developed  software 

-  Compliance  to  FDA  CFR  610.40 

•  Identified  incompleteness  in  the  regulation 

-  Inconclusive  test  outcomes  are  ignored 

•  Technical  approach:  conformance  testing 

-  Automatic  test  generation  from  formal  requirements 

-  Automatic  test  execution  engine  implemented 

-  Failed  tests  correspond  to  ambiguous  requirements 

•  Incompleteness  resolved  differently  in  implementation  and 
test  generation 
Personnel

•  Faculty 

-  Aravind  Joshi 

-  Insup  Lee 

•  Graduate  students 

-  Nikhil  Dinesh 

•  NLP,  logic,  formalization 

-  Michael  May 

•  Policy  formalization,  logic 

-  David  Arney 

•  Formalization,  conformance  testing 
Collaborations


•  The  project  is  a  collaborative  effort  between 
the  NLP  (Joshi)  and  formal  methods  (Lee) 
groups  at  Penn 

- Nikhil Dinesh, a Ph.D. student, is co-supervised
by both PIs

•  Extensive  collaboration  with  the  FDA  on  the 
CFR  formalization 

•  Collaboration  with  DoD's  Clinical  Information 
Technology  Program  Office  on  DBSS 

•  Initiated  collaboration  with  TATRC  on 
validation  w.r.t.  informal  requirements 
Publications


•  5  peer-reviewed  conference  /  workshop  papers 

1.  Nikhil  Dinesh,  Aravind  Joshi,  Insup  Lee  and  Bonnie  Webber.  Extracting  Formal  Specifications  from 
Natural  Language  Regulatory  Documents,  Proceedings  of  the  Fifth  International  Workshop  on  Inference 
in  Computational  Semantics  (ICoS-5),  Buxton,  England  (2006) 

2.  Nikhil  Dinesh,  Aravind  Joshi,  Insup  Lee  and  Oleg  Sokolsky,  Logic-based  Regulatory  Conformance 
Checking,  Proceedings  of  the  Fourteenth  Monterey  Workshop,  September  2007,  Monterey,  CA. 

3.  Nikhil  Dinesh,  Aravind  Joshi,  Insup  Lee  and  Oleg  Sokolsky,  Checking  Traces  for  Regulatory  Conformance, 
Proceedings  of  the  Workshop  on  Runtime  Verification  (RV),  March  2008,  Budapest,  Hungary.  To  appear. 

4.  Michael  J.  May,  Wook  Shin,  Carl  A.  Gunter,  and  Insup  Lee.  Securing  the  Drop-box  Architecture  for 
Assisted  Living.  In  4th  ACM  Workshop  on  Formal  Methods  in  Security  Engineering:  From  Specifications 
to  Code.  November  2006.  Fairfax,  VA. 

5. Michael J. May, Carl A. Gunter, and Insup Lee. Privacy APIs: Access Control Techniques to Analyze and
Verify Legal Privacy Policies. In 19th IEEE Computer Security Foundations Workshop (CSFW). July 2006.
Venice, Italy.

•  2  papers  submitted  to  conference 

1.  Nikhil  Dinesh,  Aravind  Joshi,  Insup  Lee  and  Oleg  Sokolsky,  Reasoning  about  Conditions  and  Exceptions  to 
Laws  in  Regulatory  Conformance  Checking.  In  submission. 

2.  Michael  J.  May,  Nikhil  Dinesh,  Insup  Lee,  and  Carl  A.  Gunter.  Formalizing  and  Comparing  Regulatory  Usage 
and  Disclosure  Rules.  In  submission. 